
Creating a CSIRT Page 1

CERT® Coordination Center
Networked Systems Survivability
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890

© 2003 Carnegie Mellon University
® CERT, CERT Coordination Center, and Carnegie Mellon are registered in the U.S. Patent and Trademark Office

EDUCAUSE 2003: Creating a Computer Security Incident Response Team (CSIRT)

Robin Ruefle
CERT® CSIRT Development Team
November 4–7

© 2003 Carnegie Mellon University - slide 2 Creating a CSIRT

© Carnegie Mellon University 2003.

This work is the intellectual property of Carnegie Mellon University. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from Carnegie Mellon.

Slide 3

Imagine...

...that one of the most critical systems for your institution has been compromised and sensitive or proprietary data has been accessed, deleted, or modified…

Slide 4

Incident Reports are Increasing

Slide 5

Current Situation

Today we see
• a general increase in the number and type of organizations being affected by computer security incidents
• a decrease in the amount of time to respond
• a more focused awareness by organizations on the need for security policies and practices as part of their overall risk-management strategies
• new laws and regulations that affect how organizations are required to protect information assets
• the realization that systems and network administrators alone cannot protect organizational systems and assets

Slide 6

Why Are We Here?

Even the best information security infrastructure cannot guarantee that intrusions or other malicious acts will not happen.
• When computer security incidents occur, it will be critical for an organization to have an effective means of responding.
• The speed with which an organization can recognize, analyze, and respond to an incident will limit the damage done and lower the cost of recovery.

Slide 7

What Can Be Done?

As a defense against Internet security threats, organizations can
• keep up to date with the latest operating system patches and product updates
• install perimeter and internal defenses such as routers, firewalls, scanners, and intrusion detection systems
• update and expand computer security policies and procedures
• provide security awareness training to employees, customers, and constituents
• create an organizational CSIRT

Slide 8

What is a CSIRT?

An organization or team that provides services and support, to a defined constituency, for preventing, handling and responding to computer security incidents

Slide 9

What Does a CSIRT Do?

In general a CSIRT
• provides a single point of contact for reporting local problems
• identifies and analyzes what has happened including the impact and threat
• researches solutions and mitigation strategies
• shares response options, information, and lessons learned

A CSIRT's goal is to
• minimize and control the damage
• provide or assist with effective response and recovery
• help prevent future events from happening

No single team can be everything to everyone!

Slide 10

Benefits of a CSIRT

Reactive
• focused response effort
• more rapid, standardized, and coordinated response
• stable cadre of staff with incident handling expertise, combined with functional business knowledge
• collaboration with others in security community

Proactive
• enabler of organizational business goals
• supplier of authentic risk data and business intelligence
• input into product development cycle or network operations
• assistance in performing vulnerability assessments and development of security policies

Slide 11

Process versus Technology

Incident Handling is not just the application of technology to resolve computer security events.

It is the development of a plan of action, a response plan that
• integrates into the existing processes and organizational structures
• strengthens and improves the capability of the constituency to effectively manage computer security events
• is part of an overall strategy to protect and secure critical business functions and assets.

It is the establishment of processes for
• notification and communication
• collaboration and coordination
• analysis and response

Slide 12

Creating an Effective CSIRT

To be effective, a CSIRT requires four basic elements
• an operational framework
• a service and policy framework
• a quality assurance framework
• the capability to adapt to a changing environment and changing threat profiles

Slide 13

Building Your Vision

Slide 14

Basic Implementation Steps
• Get approval and support from management.
• Identify who will need to be involved.
• Have an announcement sent out by management.
• Select a project team.
• Collect information.
  - Research what other organizations are doing.
  - Identify existing processes and workflows.
  - Interview key stakeholders and participants.
• With input from stakeholders, determine
  - CSIRT mission
  - CSIRT range and levels of service
  - CSIRT reporting structure, authority, and organizational model
  - identify interactions with key parts of the constituency
  - define roles and responsibilities for interactions.
• Create a plan based on the vision or framework.
• Obtain feedback on the plan.
• Build CSIRT.
• Announce CSIRT.
• Get feedback.

Slide 15

Who Needs to Be Involved

Internal CSIRT
• business managers
• IT and telecommunications
• legal counsel
• human resources
• public relations or media relations
• physical security
• risk management
• law enforcement liaisons or investigations
• general representatives from constituency

Slide 16

Where Do You Begin?

What's already in place – create a matrix of expertise
• What expertise exists?
• What tools and processes are already in place?

Brainstorm and discuss – design the workflow
• What is the desired response and notification strategy?
• What needs to be changed with the addition of a CSIRT?
• How does the CSIRT fit into any disaster recovery or business continuity plans?

Implementation – build staff and processes
• Develop the interim plan.
• Develop the long term plan.

Slide 17

Gather Information

Key information to gather includes
• What needs does the constituency have?
• What are the critical assets that must be protected?
• What types of incidents are frequently reported?
• What computer security problems exist?
• What type of response is needed?
• What assistance and expertise is needed?
• What processes are required?
• Who will perform what role?
• Is anyone currently performing that role?
• Who needs to be involved in the notification or escalation processes?

Slide 18

Existing Resources That May Help

Available resources that may provide information
• organization charts for the enterprise and specific business functions
• topologies for organizational or constituency systems and networks
• critical system and asset inventories
• existing disaster recovery or business continuity plans
• existing guidelines for notifying the organization of a physical security breach
• any existing incident response plans
• any parental or institutional regulations

Slide 19

Achieve Consensus

Definition of CSIRT
• mission
• services
• roles and responsibilities
• authority
• interactions

Definition of computer security incidents
• classifications
• priorities
• escalation criteria
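The incident definitions on this slide are what a CSIRT has to agree with its constituency before the first report arrives, and they are easier to review when written down precisely. The following Python is an added illustration, not part of the CERT/CC presentation: it encodes one hypothetical set of incident classifications, a priority rule that combines classification with asset criticality, and escalation criteria keyed on priority and elapsed time. Every category, weight, threshold and contact role in it is a constructed placeholder that a real team would replace with its own agreed values.

```python
# Added example (not from the CERT/CC slides): consensus definitions for
# incident classification, priority and escalation, expressed as data plus a
# few small functions so the CSIRT and its constituency can review, version
# and test them. The taxonomy, weights, thresholds and contact roles are
# hypothetical placeholders, not values from the presentation.
from dataclasses import dataclass
from datetime import datetime, timedelta

# Agreed incident classifications and their severity weight (hypothetical).
CLASSIFICATIONS = {
    "unauthorized_access": 3,
    "malware": 2,
    "denial_of_service": 2,
    "policy_violation": 1,
    "scan_or_probe": 0,
}

# Criticality of the affected asset, taken from the asset inventory (hypothetical).
ASSET_CRITICALITY = {"critical": 3, "important": 2, "routine": 1}


@dataclass
class Incident:
    incident_id: str
    classification: str
    asset_criticality: str
    reported_at: datetime
    data_exposed: bool = False   # sensitive data accessed, deleted or modified
    resolved: bool = False


def priority(incident: Incident) -> int:
    """Map an incident to priority 1 (highest) .. 4 (lowest).

    A classification outside the agreed taxonomy is rejected rather than
    silently given a low priority, so an unexpected report gets looked at.
    """
    if incident.classification not in CLASSIFICATIONS:
        raise ValueError(f"unknown classification: {incident.classification}")
    score = CLASSIFICATIONS[incident.classification] * ASSET_CRITICALITY[incident.asset_criticality]
    if incident.data_exposed:
        score += 3
    if score >= 9:
        return 1
    if score >= 6:
        return 2
    if score >= 3:
        return 3
    return 4


def escalation_targets(incident: Incident, now: datetime) -> list:
    """Who must be notified, given the priority and how long the incident has been open."""
    p = priority(incident)
    age = now - incident.reported_at
    targets = []
    if p == 1:                       # immediate management and CISO notification
        targets += ["csirt_manager", "ciso"]
    elif p == 2:                     # manager now, CISO if still open after 4 hours
        targets.append("csirt_manager")
        if not incident.resolved and age >= timedelta(hours=4):
            targets.append("ciso")
    elif p == 3:                     # manager only if open for more than a day
        if not incident.resolved and age >= timedelta(hours=24):
            targets.append("csirt_manager")
    if incident.data_exposed:        # legal counsel whenever data was exposed
        targets.append("legal_counsel")
    return targets


def triage(incidents, now: datetime) -> dict:
    """Return {incident_id: (priority, escalation targets)} for a batch of reports."""
    return {i.incident_id: (priority(i), escalation_targets(i, now)) for i in incidents}


# Constructed sample reports for a demonstration run.
NOW = datetime(2003, 11, 5, 12, 0)
SAMPLE_INCIDENTS = [
    Incident("INC-001", "unauthorized_access", "critical", NOW - timedelta(minutes=10), data_exposed=True),
    Incident("INC-002", "malware", "critical", NOW - timedelta(hours=5)),
    Incident("INC-003", "policy_violation", "critical", NOW - timedelta(hours=30)),
    Incident("INC-004", "scan_or_probe", "critical", NOW - timedelta(days=2)),
]

if __name__ == "__main__":
    for incident_id, (prio, targets) in triage(SAMPLE_INCIDENTS, NOW).items():
        print(incident_id, "priority", prio, "escalate to", targets or "nobody")
```

Running the file triages the four constructed reports and prints who should be notified for each. Keeping the agreed values as data and the rules as small functions means that a change in classifications or escalation thresholds shows up as a reviewable diff rather than as an unwritten convention in someone's head.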

Slide 20

Range of CSIRT Services

Slide 21

Base Set of CSIRT Services

Reactive Services
• alerts and warnings
• incident handling
  - incident analysis
  - and at least one of the following: incident response resolution, incident response support, incident response coordination
• vulnerability handling
  - vulnerability response coordination

Proactive Services
• announcements

Security Quality Management Services
• awareness building
• security consulting – particularly developing security policies

Slide 22

CSIRT Organizational Models

• Security Team - incident handling is done ad hoc by those in the organization responsible for system and network infrastructures.

• Internal Distributed Team – utilizes existing staff to provide a “virtual” distributed CSIRT, formally chartered to deal with incident response activities.

• Internal Centralized Team – a centrally located, dedicated CSIRT that provides incident handling services.

• Combined Distributed and Centralized Team – a combination of the distributed CSIRT and the centralized CSIRT.

• Coordinating CSIRT – coordinates and facilitates the handling of incidents across a variety of internal or external organizations.

Slide 23

CSIRT Resources

Staff Skills
• personal communication
• technical
• security and incident response

Equipment
• office and test facilities
• remote access and communications

Infrastructure
• physical location and working space
• protection of CSIRT data
• secured systems and networks

Slide 24

Some Basic Requirements
• incident reporting and tracking system
• communications mechanisms
  - hotline or helpdesk
  - web site and/or ftp site
  - mailing distribution lists
  - cell phones and pagers
• secure communications mechanisms
  - PGP keys or digital certificates for signing CSIRT documents and mailings
  - secure phones
  - intranets or extranets
• secured access to CSIRT facilities

Slide 25

Incident Reporting Guidelines

These guidelines define
• how your constituency interacts with your CSIRT
• what constitutes an incident
• what types of incidents to report
• who should report an incident
• why an incident should be reported
• the process for reporting an incident
• the process for responding to an incident

For an example see the CERT/CC Incident Reporting Guidelines: http://www.cert.org/tech_tips/incident_reporting.html

Slide 26

Incident Handling Methodology

Prepare
• security awareness training
• notification lists
• expertise matrix and non-disclosures
• original media and backups
• patch, configuration, and change management systems

Detect
• network monitoring and intrusion detection
• constituency reports
• public or private mailing lists
• proactive scanning

Respond
• verify
• contain
• notify
• analyze
• research
• recover
• follow-up

Improve
• perform a post mortem
• harden systems
• update response policies and procedures

Slide 27

There is No Single Recipe

There is no single recipe for creating a CSIRT.

It depends on your
• needs and requirements
• mission and goals
• available resources and support

Slide 28

Common Problems

Failure to
• include all involved parties
• achieve consensus
• develop an overall vision and framework
• outline and document policies and procedures

Organizational battles

Taking on too many services

Unrealistic expectations or perceptions

Lack of time, staff, and funding

Slide 29

About that Incident… Ask Yourself

• How would your organization respond to this type of incident if it happened now?
• Who would respond? Who should respond? Who else needs to be involved?
• What would the response be?
• Who makes these decisions?
• How would you like your organization to respond?
• What formalized processes do you need to put in place?
• What formalized personnel assignments do you need to make?
• What training do those involved require?

Slide 30

Resources That Can Help

• The Handbook for CSIRTs, Second Edition
  http://www.cert.org/archive/pdf/csirt-handbook.pdf

• The State of the Practice of CSIRTs
  http://www.cert.org/archive/pdf/03tr001.pdf

• Creating a Computer Security Incident Response Team: A Process for Getting Started
  http://www.cert.org/csirts/Creating-A-CSIRT.html

• Forming an Incident Response Team
  http://www.auscert.org.au/render.html?it=2252&cid=1920

• Avoiding the Trial-by-Fire Approach to Security Incidents
  http://interactive.sei.cmu.edu/news@sei/columns/security_matters/1999/mar/security_matters.htm

• CERT Security Practice: Responding to Intrusions
  http://www.cert.org/security-improvement/modules/m06.html

Slide 31

Additional Resources

Relevant RFCs
• Site Security Handbook
  http://www.ietf.org/rfc/rfc2196.txt

• Expectations for Computer Security Incident Response
  http://www.ietf.org/rfc/rfc2350.txt

• Internet Security Glossary
  http://www.ietf.org/rfc/rfc2828.txt

• Guidelines for Evidence Collection and Archiving
  http://www.ietf.org/rfc/rfc3227.txt

Slide 32

And More Resources

Other Resources include:
• The Center for Education and Research in Information Assurance and Security
  http://www.cerias.purdue.edu/

• Security Focus Incident Forum
  http://www.securityfocus.org/incidents

• The National Institute of Standards and Technology: Draft Computer Security Incident Handling Guide
  http://csrc.nist.gov/publications/drafts/draft_sp800-61.pdf

• The U.S. Department of Justice Computer Crime and Intellectual Property Section (CCIPS)
  http://www.cybercrime.gov/

Slide 33

Contact Information

Robin Ruefle
CERT® CSIRT Development Team
Networked Systems Survivability
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890

[email protected]
http://www.cert.org/csirts/
+1 412 268-7090